Beginner

NUC5i5RYH no longer reports as Meltdown/Spectre "compliant"?

Howdy.

Long story short, since I installed the April 2018 updates for my NUC5i5RYH (running Win10 1709 Enterprise edition), the Microsoft PowerShell cmdlet to check for Spectre/Meltdown mitigations no longer reports my machine as "protected" (or whatever you want to call it).

Here's the cmdlet snippet:

:

:

PS C:\Windows\system32> Get-SpeculationControlSettings

Speculation control settings for CVE-2017-5715 [branch target injection]

For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: False

Windows OS support for branch target injection mitigation is present: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

Windows OS support for branch target injection mitigation is enabled: False (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

Windows OS support for branch target injection mitigation is disabled by system policy: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: False

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119

BTIHardwarePresent : False

BTIWindowsSupportPresent : True

BTIWindowsSupportEnabled : False

BTIDisabledBySystemPolicy : True

BTIDisabledByNoHardwareSupport : True

KVAShadowRequired : True

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : False

KVAShadowPcidEnabled : False

:

:

My machine is running the 369 version of the BIOS as per the output of this:

:

:

PS C:\Windows\system32> wmic bios get smbiosbiosversion

SMBIOSBIOSVersion

RYBDWi35.86A.0369.2018.0305.1050

:

:

According to the release notes for this BIOS version here: https://downloadmirror.intel.com/27631/eng/RY_0369_ReleaseNotes.pdf, it should provide the hardware mitigation the cmdlet is looking for.

I'd like to say that prior to the April 2018 updates the cmdlet reported that hardware mitigation was in place, but I can't be 100% certain since I didn't document it.

(Just in case, here's the link to the Get-SpeculationControlSettings thing:

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrols...

and here's the one to the aforementioned registry keys to disable mitigations at the client OS level:

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-...)

Questions? Thoughts? Let me know if you need me to provide additional information on this.

Community Manager

Hello yoda-intelnuc

Thank you for joining the community.

Could you please help us with the following information.

In order to help you better, I would like to gather more information about the configuration you have on the computer. Please attach to this thread the TXT file the Intel® System Support Utility will generate: https://downloadcenter.intel.com/download/25293/Intel-System-Support-Utility

Steps to save the report:

  1. Run the utility
  2. Click on "Scan" to get the scanned system
  3. Once the scan is complete click on "next"
  4. Use the "save" option, save the report to your desktop.
  5. To attach a file, you must click the "Attach" option on the bottom right-hand corner of the response box.

Could you share with us pictures of the tool with the output informing you that your system is vulnerable?

Please review your private inbox.

Regards,

Leonardo C.

Beginner

Leonardo_intel,

I have attached the output of the SSU utility as requested.

Also, here is a screenshot of the output of the Get-SpeculationControlSettings PowerShell cmdlet.

Please let me know if you need any more information.

Community Manager

Hello yoda-intelnuc

Thank you for your response and the information provided, please review your private inbox.

Regards,

Leonardo C.

Community Manager

Hello yoda-intelnuc

Thank you for waiting.

Allow me to share with you that BIOS 0369 has the update for the microcode, as you mentioned in your previous post. In this case, since the tool that you are using is from Microsoft, we recommend contacting them in order for them to interpret the output and provide suggestions on how to proceed.

We do not have an official Spectre/Meltdown detection tool yet, thus our official recommendations are provided here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/.

Regards,

Leonardo C.
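
The cmdlet output posted in this thread mixes two separate conditions: hardware support not being reported, and the OS mitigations being switched off by policy. The following is an added PowerShell example (not part of any post in the thread and not code from Microsoft's module) that separates them; the function names `Get-SpecCtrlTriage` and `Get-MitigationOverride` are hypothetical, the sample object is constructed from the values posted above, and the registry value names are the ones documented in KB4073119.

```powershell
# Added example, not from the thread or from Microsoft's SpeculationControl module.
function Get-SpecCtrlTriage {
    param([Parameter(Mandatory)] $Settings)
    $findings = [System.Collections.Generic.List[string]]::new()

    # CVE-2017-5715 [branch target injection]
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings.Add('BTI: Windows update carrying the mitigation is not installed')
    }
    if (-not $Settings.BTIHardwarePresent) {
        $findings.Add('BTI: hardware support not reported (BIOS/microcode side)')
    }
    if ($Settings.BTIDisabledBySystemPolicy) {
        $findings.Add('BTI: switched off by system policy (OS side)')
    }

    # CVE-2017-5754 [rogue data cache load]
    if ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportEnabled) {
        if ($Settings.KVAShadowWindowsSupportPresent) {
            $findings.Add('KVA shadow: present but not enabled (OS side)')
        } else {
            $findings.Add('KVA shadow: Windows update carrying the mitigation is not installed')
        }
    }
    $findings
}

# Reads the client override values described in KB4073119 (Windows only).
function Get-MitigationOverride {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $p.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $p.FeatureSettingsOverrideMask
    }
}

# Constructed sample: the property values posted in the thread.
$sample = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $true
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $false
}
Get-SpecCtrlTriage -Settings $sample
# On the machine itself:
#   Get-SpecCtrlTriage -Settings (Get-SpeculationControlSettings)
#   Get-MitigationOverride
```

In KB4073119, `FeatureSettingsOverride` 3 with `FeatureSettingsOverrideMask` 3 disables both mitigations and 0 with mask 3 enables them, so the second function shows whether the "disabled by system policy" lines come from those values.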

 
